Blame SOURCES/0017-Backport-of-passing-expiration-controls-back-to-PAM-.patch

From 289cd5ab7d125c8eb4a5e85800ab8f5f54dc4519 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 13 Aug 2019 22:06:12 +0200
Subject: [PATCH 17/23] Backport of passing expiration controls back to PAM
 client
---
 nslcd/myldap.c | 11 +++++++++++
 nslcd/myldap.h |  5 +++++
 nslcd/pam.c    | 15 ++++++++++++---
 3 files changed, 28 insertions(+), 3 deletions(-)
diff --git a/nslcd/myldap.c b/nslcd/myldap.c
index 64b7f13..9f6b4b0 100644
--- a/nslcd/myldap.c
+++ b/nslcd/myldap.c
@@ -1024,6 +1024,17 @@ void myldap_set_credentials(MYLDAP_SESSION *session,const char *dn,
   session->bindpw[sizeof(session->bindpw)-1]='\0';
 }
 
+/* Get bind ppolicy results from the last bind operation. This function
+   returns a NSLCD_PAM_* code and optional message. */
+void myldap_get_policy_response(MYLDAP_SESSION *session, int *response,
+                                const char **message)
+{
+  if (response != NULL)
+    *response = session->policy_response;
+  if (message != NULL)
+    *message = session->policy_message;
+}
+
 static int do_try_search(MYLDAP_SEARCH *search)
 {
   int rc;
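Review bot: The pointer handed back through `message` aliases `session->policy_message`, so it is only valid while the session is open, and the new comment above `myldap_get_policy_response` does not say so; the caller in pam.c copies it before `myldap_session_close()`, but a future caller may not. I would extend the comment with `The message pointer refers to storage owned by the session and is only valid until the session is closed or the next bind; either out-parameter may be NULL.` What `policy_response` holds on a session that has not yet bound depends on initialisation in `myldap_create_session()`, outside this hunk; it is worth confirming it starts as NSLCD_PAM_SUCCESS so the "last bind" wording is accurate. The surrounding functions `myldap_set_credentials` and `do_try_search` start and end outside this hunk.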
diff --git a/nslcd/myldap.h b/nslcd/myldap.h
index f118f72..3a99765 100644
--- a/nslcd/myldap.h
+++ b/nslcd/myldap.h
@@ -72,6 +72,11 @@ MUST_USE MYLDAP_SESSION *myldap_create_session(void);
 void myldap_set_credentials(MYLDAP_SESSION *session,const char *dn,
                             const char *password);
 
+/* Get bind ppolicy results from the last bind operation. This function
+   returns a NSLCD_PAM_* code and optional message. */
+void myldap_get_policy_response(MYLDAP_SESSION *session, int *response,
+                                const char **message);
+
 /* Closes all pending searches and deallocates any memory that is allocated
    with these searches. This does not close the session. */
 void myldap_session_cleanup(MYLDAP_SESSION *session);
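Review bot: The header comment for `myldap_get_policy_response` does not state that `response` and `message` are optional, although the implementation tolerates NULL for each, nor that the returned `message` is not owned by the caller; since this is the public declaration, that contract belongs here. Suggest adding `Either out-parameter may be NULL. The message must not be freed by the caller and is only valid while the session is open.` to the comment so callers do not `free()` it or keep it past `myldap_session_close()`.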
diff --git a/nslcd/pam.c b/nslcd/pam.c
index ee28725..40a8687 100644
--- a/nslcd/pam.c
+++ b/nslcd/pam.c
@@ -41,13 +41,15 @@
 
 /* set up a connection and try to bind with the specified DN and password,
    returns an LDAP result code */
-static int try_bind(const char *userdn,const char *password)
+static int try_bind(const char *userdn,const char *password,
+                    int *authzrc, char *authzmsg, size_t authzmsgsz)
 {
   MYLDAP_SESSION *session;
   MYLDAP_SEARCH *search;
   MYLDAP_ENTRY *entry;
   static const char *attrs[2];
   int rc;
+  const char *msg;
   /* set up a new connection */
   session=myldap_create_session();
   if (session==NULL)
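Review bot: The comment above `try_bind` still says only that it "returns an LDAP result code", but the new signature also reports a NSLCD_PAM_* code through `authzrc` and copies any policy message into `authzmsg`; suggest appending `, storing the bind's ppolicy result in *authzrc and any policy message in authzmsg (authzmsgsz bytes); neither is written if no session could be created`. That last clause matters because the `session==NULL` early return visible here leaves both outputs untouched, so callers must pre-initialise them. As a style point, `const char *msg;` could be declared `const char *msg = NULL;` rather than relying on the later unconditional assignment. The body of `try_bind` continues past this hunk.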
@@ -74,6 +76,13 @@ static int try_bind(const char *userdn,const char *password)
       log_log(LOG_WARNING,"%s: lookup failed: %s",userdn,ldap_err2string(rc));
     }
   }
+  /* get any policy response from the bind */
+  myldap_get_policy_response(session, authzrc, &msg;;
+  if ((msg != NULL) && (msg[0] != '\0'))
+  {
+    mysnprintf(authzmsg, authzmsgsz - 1, "%s", msg);
+    log_log(LOG_WARNING, "%s: %s", userdn, authzmsg);
+  }
   /* close the session */
   myldap_session_close(session);
   /* return results */
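Review bot: The result of `mysnprintf()` when copying the policy message into `authzmsg` is discarded, so a message longer than the buffer is silently truncated before it is logged and sent back to the PAM client; if `mysnprintf` reports overflow (its definition is not in this hunk), logging that at LOG_DEBUG would make such cases diagnosable. The size argument `authzmsgsz - 1` reserves a byte beyond what an snprintf-style wrapper that NUL-terminates within the given length needs, and would wrap to SIZE_MAX if a caller ever passed 0; passing `authzmsgsz` is sufficient if that is how mysnprintf behaves — confirm against common.h. The message text comes from the LDAP server's ppolicy response and is written to the log through a fixed `"%s: %s"` format, which is safe, but it is server-controlled content and the WARNING level may be noisy for routine expiry warnings.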
@@ -297,7 +306,7 @@ int nslcd_pam_authc(TFILE *fp,MYLDAP_SESSION *session,uid_t calleruid)
     update_username(entry,username,sizeof(username));
   }
   /* try authentication */
-  rc=try_bind(userdn,password);
+  rc = try_bind(userdn, password, &authzrc, authzmsg, sizeof(authzmsg));
   if (rc==LDAP_SUCCESS)
     log_log(LOG_DEBUG,"bind successful");
   /* map result code */
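Review bot: `authzrc` is now consumed after this call, but `try_bind` only writes `*authzrc` when a session could be created; on the `myldap_create_session()` failure path it returns without touching it. That is only safe if `nslcd_pam_authc` initialises `authzrc` and `authzmsg[0]` before this line, which is outside the hunk — confirm the declarations read `int authzrc = NSLCD_PAM_SUCCESS;` and `authzmsg[0] = '\0';`, otherwise an uninitialised value would be compared and written to the client. `nslcd_pam_authc` starts and ends outside this hunk.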
@@ -308,7 +317,7 @@ int nslcd_pam_authc(TFILE *fp,MYLDAP_SESSION *session,uid_t calleruid)
     default:                       rc=NSLCD_PAM_AUTH_ERR;
   }
   /* perform shadow attribute checks */
-  if (*username!='\0')
+  if ((*username != '\0') && (authzrc == NSLCD_PAM_SUCCESS))
     authzrc=check_shadow(session,username,authzmsg,sizeof(authzmsg),1,0);
   /* write response */
   WRITE_INT32(fp,NSLCD_RESULT_BEGIN);
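Review bot: With the new condition, `check_shadow()` still runs when the bind's policy response is NSLCD_PAM_SUCCESS but `authzmsg` already holds an advisory message from the bind (for example an expiry warning copied in `try_bind`); if `check_shadow()` writes to `authzmsg` on its success path, that warning is overwritten before the response is written. `check_shadow` is defined outside this hunk, so confirm it only touches `authzmsg` when returning a non-success code, and record the dependency with a comment such as `/* check_shadow() must leave authzmsg untouched on success so a ppolicy warning from the bind survives */`. Note also that when the bind itself failed, the policy code from that failed bind is still what is returned here, which appears to be the intent of passing expiration controls back.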
-- 
2.20.1